Professional Documents
Culture Documents
1 ITU-T X.805
Services layer
Infrastructure layer
2 To read more about MPLS encryption (also known as network group encryption), please read Network
group encryption: Seamless encryption for mission-critical networks
3 For read more about transport encryption (also known as layer 1 encryption), please read Secure optical
transport with the 1830 PSS Photonic Service Switch
IP/MPLS layer
IPSec
Transport layer
Microwave
Microwave
Optics
encryption
Optical encryption
Encrypted
tunnel
CCTV
VPN
Video
management system
User security
Being human is both the strength and weakness in cyber defense. On
one hand, a discerning mind can supplement security technology to spot
a network anomaly and stop an attack. On the other hand, a significant
percentage of security breaches can be traced back to human errors from
lack of compliance to unintentional configuration error to identify theft. When
such a security breach occurs, overall application security is violated.
A role-based user profile can be tailored to render the appropriate span of
control of the network and scope of command of network capability. As an
example, an application user is given only privileges to administer network
services, but not network infrastructure configuration, while a network
engineer, the reverse. This is an effective way to mitigate the possible damage
that can be inflicted by a user, advertently or inadvertently. Furthermore,
operators can impose checkpoints when network services are created,
4 To read more on firewalls for mission-critical networks, please read Nokia 7705 Service Aggregation
Router: Security overview for mission-critical networks
Work order
creation
Email
notication
Checkpoint No
awaits approval
Yes
Completes Rejects
work order work order
IP/MPLS
Primary LSP
Fast re-route tunnel
Standby LSP
IP/MPLS
Active pseudowire
Standby pseudowire
Secure node
A secure node is fundamental to provide a network with safe and reliable
connectivity to critical applications and to ensure network topology
confidentiality as well as data integrity and availability. Therefore it is crucial
to prevent attackers from snooping at or altering nodal configurations or
exploiting them as a launching pad to compromise endpoints and bring down
applications. Consequently, the nodes control plane, management plane and
physical ports need to be fortified to keep attackers at bay.
Control plane
Control ACL, protocol
authentication, GTSM
Intrusion detection
In addition to detecting intrusion at the packet or session layer by router,
firewall and other security appliance, physical intrusion detection at the
transport physical layer is equally crucial to protect overall data security.
In the past, fiber optics transmission was deemed to be secure. However,
with the right tools, fiber tapping is now surprisingly easy to perform.5 While
techniques such as optical encryption can safeguard data confidentiality and
integrity, the perpetrators can still lurk in the network without being detected.
By detecting optical signal loss and identifying its location through techniques
such as OTDR, the network can effectively scout out the presence of intrusion
and even its location. That this capability used to be available only in
specialized test equipment limits its applicability to regular fiber maintenance
and troubleshooting. However, as new-generation optical platforms start
to integrate such capability natively, operators can now monitor the whole
network continuously for intrusion (Figure 8).
5 Guide to Fiber Optics and Premises Cabling, The Fiber Optic Association, Inc.
Polling period
-19.0
t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 t17
-19.5
-20.5
Threshold
3 consecutive
-21.0 measurements
-21.5
-22.0
Major optical intrusion alarm raised Major optical intrusion alarm cleared
Summary
The operational environment of critical infrastructure is evolving in terms of
threats, technologies and compliance. Effective protection of critical assets
requires a layered defense-in-depth apXproach, employing a range of security
mechanisms jointly at different security layers based on the ITU-T X.805
security architecture. This structured approach enables operators to lay a
robust foundation for their security guidelines and best practices.
Nokia has real-world expertise developing field-proven cybersecurity best
practices with operators. Our industry-leading mission-critical networks
solutions not only deliver the required network reliability, performance and
scalability, they also serve as a bulwark defending against security threats and
attacks. Nokia can contribute significantly to your efforts to protect critical
infrastructure and address regulatory requirements.
Acronyms
AAA Authentication, Authorization and Accounting
ACL access control list
AES Advanced Encryption Standard
Nokia is a registered trademark of Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their
respective owners.
Nokia Oyj
Karaportti 3
FI-02610 Espoo
Finland
Tel. +358 (0) 10 44 88 000